802.1x Basics
Who doesn’t like an additional layer of security within your enterprise network? 802.1x has been around forever, so let’s talk about what that brings to the table, shall we?
802.1x Foundations
802.1x is an IEEE standard for port-based network access control (sometimes referred to as PNAC or just NAC). Basically, it's a layer 2 authentication method for devices that want to attach to a LAN or wireless LAN. EAP (Extensible Authentication Protocol, RFC 3748) is the authentication framework, and EAPOL (EAP over LAN) is the encapsulation that carries EAP between the client and the switch or access point, on both wired (802.3) and wireless (802.11) links. Between the switch/access point and the authentication server the same EAP payload is carried inside RADIUS.
Just a few notes here before we move on to the components and the process of 802.1x authentication
Before a device authenticates, the port drops everything except EAPOL. On wired Cisco switches the unauthorized port still passes STP and CDP (CDP being optional, so you can leave it disabled). EAP itself carries arbitrary authentication data, so the actual method (EAP-TLS, PEAP, etc.) is negotiated inside it. Once authentication succeeds, authorization is applied from what the RADIUS server returns: a downloadable ACL (dACL) or a VLAN assignment.
802.1x Components
So what actually makes this all work?
802.1x has three main components to it. A Supplicant, which is the client (or the client software on it); an Authenticator (the policy enforcement point), which is the switch or access point the client plugs into; and finally an Authentication Server, which is a RADIUS server (Cisco ISE, FreeRADIUS, NPS and so on). Next, let's look at the authentication process where these three pieces come into play.
802.1x Authentication Process
The authentication process starts when the Supplicant receives an EAP-Request/Identity frame. The Authenticator sends that frame when the port comes up (link-up) or when it receives an EAPOL-Start from the client. From then on the Authenticator acts as a proxy between the Supplicant and the RADIUS server: it pulls the EAP packet out of EAPOL and carries it inside RADIUS using two EAP-specific attributes, EAP-Message (the EAP bytes) and Message-Authenticator (an HMAC over the packet keyed with the shared secret). The Supplicant and the server then negotiate the EAP method and run it end to end; the Authenticator never sees the credentials. A RADIUS Access-Accept is relayed to the client as EAP-Success and the port is authorized, while an Access-Reject becomes EAP-Failure and the port stays blocked. After a failure the Authenticator waits out a "quiet period" timer before it will start authenticating that client again.
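Here is that first round trip rendered as bytes, an added example for this post rather than code from any vendor or project. The identity alice, the shared secret, the RADIUS request ID and the random request authenticator are all constructed for the demonstration; the header layouts follow IEEE 802.1X (EAPOL), RFC 3748 (EAP) and RFC 3579 (EAP over RADIUS). The block builds the EAPOL-Start, EAP-Request/Identity and EAP-Response/Identity frames, wraps the response in a RADIUS Access-Request with the two attributes mentioned above, and then checks Message-Authenticator the way a RADIUS server would.

```python
import hashlib
import hmac
import os
import struct

# Constants from IEEE 802.1X (EAPOL), RFC 3748 (EAP) and RFC 3579 (EAP over RADIUS)
EAPOL_VERSION = 2
EAPOL_TYPE_EAP_PACKET = 0
EAPOL_TYPE_START = 1
EAP_CODE_REQUEST, EAP_CODE_RESPONSE, EAP_CODE_SUCCESS, EAP_CODE_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
RADIUS_ACCESS_REQUEST, RADIUS_ACCESS_ACCEPT, RADIUS_ACCESS_REJECT = 1, 2, 3
RADIUS_ATTR_EAP_MESSAGE = 79
RADIUS_ATTR_MESSAGE_AUTHENTICATOR = 80


def eapol(ptype, body=b""):
    """EAPOL frame: version(1) type(1) body-length(2) body."""
    return struct.pack("!BBH", EAPOL_VERSION, ptype, len(body)) + body


def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP packet: code(1) id(1) total-length(2) [type(1) type-data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    """Decode an EAP packet; Success/Failure carry no type byte."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    return {"code": code, "id": ident,
            "type": pkt[4] if length > 4 else None, "data": pkt[5:]}


def radius_access_request(ident, authenticator, secret, eap):
    """Proxy an EAP packet into a RADIUS Access-Request (RFC 3579).

    EAP bytes go into EAP-Message (79) attributes of at most 253 bytes each.
    Message-Authenticator (80) is HMAC-MD5 over the whole packet, keyed with the
    shared secret and computed with its own value zeroed; RFC 3579 requires it
    whenever EAP-Message is present.
    """
    attrs = b""
    for i in range(0, len(eap), 253):
        chunk = eap[i:i + 253]
        attrs += bytes([RADIUS_ATTR_EAP_MESSAGE, 2 + len(chunk)]) + chunk
    ma_pos = 20 + len(attrs) + 2          # where the 16-byte MAC value will sit
    attrs += bytes([RADIUS_ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    pkt = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs))
    pkt += authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:ma_pos] + mac + pkt[ma_pos + 16:]


def radius_attributes(pkt):
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        yield pos, atype, pkt[pos + 2:pos + alen]
        pos += alen


def verify_message_authenticator(pkt, secret):
    """True if the Message-Authenticator validates under this shared secret."""
    for pos, atype, value in radius_attributes(pkt):
        if atype == RADIUS_ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def extract_eap_message(pkt):
    """Reassemble the EAP packet from the EAP-Message attributes, in order."""
    return b"".join(v for _, t, v in radius_attributes(pkt) if t == RADIUS_ATTR_EAP_MESSAGE)


def eap_result_for(radius_code, ident):
    """What the authenticator relays: Access-Accept -> EAP-Success, else EAP-Failure."""
    code = EAP_CODE_SUCCESS if radius_code == RADIUS_ACCESS_ACCEPT else EAP_CODE_FAILURE
    return eap_packet(code, ident)


def run_identity_exchange(identity=b"alice", secret=b"constructed-secret"):
    """First round trip of an 802.1x session; every value here is constructed."""
    start = eapol(EAPOL_TYPE_START)                       # supplicant: link is up
    req = eapol(EAPOL_TYPE_EAP_PACKET,                    # authenticator: who are you?
                eap_packet(EAP_CODE_REQUEST, 1, EAP_TYPE_IDENTITY))
    req_eap = parse_eap(req[4:])
    resp = eapol(EAPOL_TYPE_EAP_PACKET,                   # supplicant answers, same id
                 eap_packet(EAP_CODE_RESPONSE, req_eap["id"], EAP_TYPE_IDENTITY, identity))
    radius = radius_access_request(7, os.urandom(16), secret, resp[4:])  # proxied to RADIUS
    return {"start": start, "request": req, "response": resp, "radius": radius}
```

Two things worth noticing: the 253-byte split is why one EAP-TLS packet shows up as several EAP-Message attributes in a capture, and a RADIUS server that skips the Message-Authenticator check on an EAP request is accepting forgeries from anyone who can reach UDP/1812, because the rest of an Access-Request carries no integrity protection of its own.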
So how do we configure 802.1x? Stay tuned and find out!
802.1x Configuration
I’ll just be covering the configuration from the Authenticator side of things, which is usually a switch or an access point.
First, you have to enable AAA services
aaa new-model
Then define your RADIUS server (newer IOS uses radius server <name> with address ipv4 and key sub-commands; older IOS uses radius-server host <ip> key <secret>)
radius server <name>
Enable 802.1x globally
dot1x system-auth-control
Configure the 802.1x method list so dot1x requests go to RADIUS
aaa authentication dot1x default group radius
Finally, configure your switch port
enable access port - switchport mode access
Activate 802.1x - authentication port-control auto
Make sure the port is acting as Authenticator (PAE is the Port Access Entity) - dot1x pae authenticator
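Putting those steps together, here is a complete configuration for a Cisco IOS switch acting as the Authenticator, written as an added example for this post (it is not taken from Cisco's documentation or any particular deployment). The server name ISE-1, the address 10.0.0.10, the shared secret, VLAN 10 and the interface are placeholders for whatever your environment uses. It also adds the network authorization method list, without which the dACL or VLAN the RADIUS server returns is ignored, and sets the quiet period timer from the process section.

```cisco
! Constructed example: Cisco IOS switch as 802.1x Authenticator
aaa new-model
!
! RADIUS server definition (placeholder address and secret)
radius server ISE-1
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key ChangeMe-SharedSecret
!
aaa group server radius ISE
 server name ISE-1
!
! Send dot1x authentication to RADIUS, and accept dACL/VLAN authorization from it
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
!
! Turn 802.1x on globally; without this no port will ask for EAPOL
dot1x system-auth-control
!
interface GigabitEthernet1/0/5
 description user-facing access port (placeholder)
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 ! seconds to wait after an EAP-Failure before re-running authentication
 dot1x timeout quiet-period 30
 spanning-tree portfast
!
```

Roll this out one port at a time and check it with show authentication sessions interface GigabitEthernet1/0/5; once port-control is auto, a device without a working supplicant (a printer, a badge reader) gets no connectivity at all, so make sure you have a plan for those before you apply it to a whole switch stack.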
Alright! That should do it! This is a very basic/foundational level of 802.1x authentication. Much more to come but I thought I’d just touch the surface of layer 2 authentication.